<p><a href="https://en.wikipedia.org/wiki/HTTP_referer">HTTP header referer</a> contains a URL set by web browsers and used by applications to track
from where the user came from, it’s for instance a relevant value for web analytic services, but it can cause <a
href="https://developer.mozilla.org/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns">serious privacy and security problems</a>
if the URL contains confidential information. Note that Firefox for instance, to prevent data leaks, <a
href="https://blog.mozilla.org/security/2018/01/31/preventing-data-leaks-by-stripping-path-information-in-http-referrers/">removes path
information</a> in the Referer header while browsing privately.</p>
<p>Suppose an e-commerce website asks the user his credit card number to purchase a product:</p>
<pre>
&lt;html&gt;
&lt;body&gt;
&lt;form action="/valid_order" method="GET"&gt;
Type your credit card number to purchase products:
&lt;input type=text id="cc" value="1111-2222-3333-4444"&gt;
&lt;input type=submit&gt;
&lt;/form&gt;
&lt;/body&gt;
</pre>
<p>When submitting the above HTML form, a HTTP GET request will be performed, the URL requested will be
https://example.com/valid_order?cc=1111-2222-3333-4444 with credit card number inside and it’s obviously not secure for these reasons:</p>
<ul>
  <li> URLs are stored in the history of browsers. </li>
  <li> URLs could be accidentally shared when doing copy/paste actions. </li>
  <li> URLs can be stolen if a malicious person looks at the computer screen of an user. </li>
</ul>
<p>In addition to these threats, when further requests will be performed from the "valid_order" page with a simple legitimate embedded script like
that:</p>
<pre>
&lt;script src="https://webanalyticservices_example.com/track"&gt;
</pre>
<p>The referer header which contains confidential information will be send to a third party web analytic service and cause privacy issue:</p>
<pre>
GET /track HTTP/2.0
Host: webanalyticservices_example.com
Referer: https://example.com/valid_order?cc=1111-2222-3333-4444
</pre>
<h2>Ask Yourself Whether</h2>
<ul>
  <li> Confidential information exists in URLs. </li>
  <li> Semantic of HTTP methods is not respected (eg: use of a GET method instead of POST when the state of the application is changed). </li>
</ul>
<p>There is a risk if you answered yes to any of those questions.</p>
<h2>Recommended Secure Coding Practices</h2>
<p>Confidential information should not be set inside URLs (GET requests) of the application and a safe (ie: different from <code>unsafe-url</code> or
<code>no-referrer-when-downgrade</code>) <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy">referrer-Policy</a>
header, to control how much information is included in the referer header, should be used.</p>
<h2>Sensitive Code Example</h2>
<p>In Express.js application the code is sensitive if the <a href="https://www.npmjs.com/package/helmet">helmet</a> <code>referrerPolicy</code>
middleware is disabled or used with <code>no-referrer-when-downgrade</code> or <code>unsafe-url</code>:</p>
<pre>
const express = require('express');
const helmet = require('helmet');

app.use(
  helmet.referrerPolicy({
    policy: 'no-referrer-when-downgrade' // Sensitive: no-referrer-when-downgrade is used
  })
);
</pre>
<h2>Compliant Solution</h2>
<p>In Express.js application a secure solution is to user the <a href="https://www.npmjs.com/package/helmet">helmet</a> referrer policy middleware set
to <code>no-referrer</code>:</p>
<pre>
const express = require('express');
const helmet = require('helmet');

let app = express();

app.use(
  helmet.referrerPolicy({
    policy: 'no-referrer' // Compliant
  })
);
</pre>
<h2>See</h2>
<ul>
  <li> OWASP - <a href="https://owasp.org/Top10/A01_2021-Broken_Access_Control/">Top 10 2021 Category A1 - Broken Access Control</a> </li>
  <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure">Top 10 2017 Category A3 - Sensitive Data
  Exposure</a> </li>
  <li> <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy">developer.mozilla.org</a> - Referrer-Policy </li>
  <li> <a href="https://developer.mozilla.org/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns">developer.mozilla.org</a> -
  Referer header: privacy and security concerns </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/200">CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor</a> </li>
</ul>
